I've set up a Veeam PN Hub in Azure and connected a site gateway to it, but the gateway doesn't appear to forward traffic outside of the subnet in which the Hub VM resides. The subnets in my Azure virtual network are as follows:

The Veeam PN VM is assigned to Subnet C, and when connected via my site gateway I can reach other hosts on this subnet, but nothing in subnet A or B. The Veeam PN Route Table has all 3 subnets associated, and I'm able to access hosts on, for example, Subnet A from Subnet C. On my local network, I've got a route for 10.87.0.0/16 with the next hop as my site gateway IP. When connected to my local network, if I run a traceroute on an address in subnet A or B, it tries to route via the site gateway, but then goes back to the site gateway's default gateway (i.e. my local router). It's like the site gateway isn't recognising any destinations in subnets A or B as needing to be routed over the VPN.

Hello,
and welcome to the forums. I don't have VeeamPN installed, but it looks like the routing table is not correct. Can you log in to the site gateway and show the routing table output with "route -n"?

I'm very interested in the answer to this, as I am trying to set up something very similar but hitting the same problem.

In my lab I have a manual WireGuard setup and a VeeamPN setup, but they seem quite different. I was expecting VeeamPN to just be a fancy web GUI around the WireGuard conf files, but I can't find the wg.veeam interface configuration file anywhere. Does anyone know where it lives? Disclosure: I'm not a Linux guy.

Thank you for bringing this scenario up. Originally we didn't plan to support multiple Azure sites, but I think we can find a way out.
Could you please add the two other Azure subnets (A & B) as two sites in the Azure hub clients list? You don't need to deploy any site gateways there; we just need two more records to be pushed to the routing on your local site gateway (or endpoint connection).

After adding them you will be able to access all resources in subnets A and B because they should be reachable by Azure default routing.
If you still have any problems, could you please post the result of the command "ip route" from your Azure hub VeeamPN server?

The answer to the next question from DDIT deserves a separate post; I'll prepare it shortly.
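An added example, not part of any post in this thread: a small Python check that takes `ip route` output from a site gateway and reports which Azure subnets would leave via the default gateway instead of the tunnel, which is the symptom described in the first post. The sample routing table, the /24 split of 10.87.0.0/16 into subnets A, B and C, and the use of `wg.veeam` as the tunnel device name are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of `ip route` output from a site gateway. The addresses,
# the subnet split of 10.87.0.0/16 and the tunnel device name are assumptions
# for illustration, not values posted in the thread.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.87.3.0/24 dev wg.veeam scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Return a list of (network, device) pairs from `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # e.g. blackhole/unreachable routes have no device
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # first field is a route type, not a prefix
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_device(routes, destination):
    """Longest-prefix match over the parsed routes; None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None

def missing_tunnel_routes(routes, subnets, tunnel_dev):
    """Subnets whose first host address would not leave via tunnel_dev."""
    missing = []
    for subnet in subnets:
        probe = str(ipaddress.ip_network(subnet).network_address + 1)
        if egress_device(routes, probe) != tunnel_dev:
            missing.append(subnet)
    return missing

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_IP_ROUTE)
    azure_subnets = ["10.87.1.0/24", "10.87.2.0/24", "10.87.3.0/24"]  # A, B, C (constructed)
    for s in missing_tunnel_routes(routes, azure_subnets, "wg.veeam"):
        print(f"{s}: no route via wg.veeam, traffic follows the default route")
```

With the constructed table, subnets A and B are reported because only subnet C has a route on the tunnel device; once routes for them exist on the gateway, the list comes back empty.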